GPSolo Magazine - January/February 2006

Civil Liability on the Internet

By Jay C. Carle and Henry H. Perritt Jr.

The Internet revolution has taken a central role in American society. The Internet is a shopping mall, community center, bank, insurance broker, grocery store, news source, and a way to handle myriad day-to-day chores such as renewing your driver’s license. Although the Internet is an exciting new forum for informational and commercial exchange, it is also an instrument of many civil wrongs, appropriately termed “cyber-torts.” Cybertort harm includes financial injuries, reputational damage, theft of trade secrets, and invasions of privacy. The information industry is insulated from accountability for this harm, much as the railroads, canals, utilities, and factory industries of nineteenth-century America were shielded from liability. The harm caused by Internet-related frauds, defective software, and the failure to adequately secure online data is increasing commensurate with our dependence on computers and the Internet. The common law must expand to perform its traditional function of allocating the burdens associated with risks of harm so as to maximize social welfare, which includes both technological innovation and consumer peace of mind.

According to the Internet Crime Complaint Center, consumers in 2004 submitted more than 207,000 complaints, marking a 66 percent increase over 2003 ( www.ifccfbi.gov/strategy/2004_IC3Report.pdf). These complaints included incidents of computer intrusions, spam, and child pornography as well as many different types of fraud, including non-delivery of merchandise, advance-fee scams (false promises of riches if consumers transfer money to seemingly legitimate bank accounts), and online “phishing” expeditions for sensitive personal information such as user names and passwords, bank account numbers, and Social Security Numbers. On a broader scale, consumers are paying closer attention to the risk of security-related breaches of networks and databases, particularly in the wake of high-profile information security breaches such as the CardSystems debacle. In May 2005, CardSystems Solutions Inc., a credit card payment processing firm, identified a security breach by computer hackers who had introduced malicious code into their computer systems last fall, exposing as many as 40 million credit card holders to possible fraud. These types of large-scale security breaches are possible only because of sloppy software design and lax system administration.

Because of the anonymity that the Internet offers and the difficulty of identifying the primary wrongdoer, it is fair to say that the vast majority of consumers do not even file claims for their injuries or losses. What is more, pursuing the primary cyber-tortfeasor is rarely a realistic option, given that much of the wrongdoing originates in a foreign venue. The average consumer is left holding the bag.

Legislators and agency administrators are wringing their hands, trying to figure out a regulatory regime to respond, while the Internet industry fiercely resists any new regulatory burden. The hand-wringing can stop. A legal regime already exists. It is called “negligence.” Institutions already exist to administer the regime. They are called “courts.” No new civil servants need to be hired. Thousands of private lawyers already are available to receive and act on consumer complaints. Fears about big government can be set aside. The common law is already privatized and decentralized.

Liability should be placed on intermediaries such as Internet service providers (ISPs), websites, online information brokers, and software manufacturers who are in the best position to mitigate damages from online fraudulent schemes, online defamation, and computer security breaches that cause injury to consumers. The legal landscape for consumers seeking redress for cyber-injury under traditional negligence principles, however, is bleak. To succeed on a negligence claim, the client has to prove every element under traditional negligence theory. There are many challenges to overcome.

Duty of Care

First, the client must prove that the defendant ISP or Internet-based company owes a duty of care to the consumer. A defendant owes a duty of reasonable care to persons within the zone of foreseeable danger caused by the defendant’s acts or omissions. Consequently, a website or Internet portal that hosts or serves as an intermediary to online fraudulent schemes, website defamation, or other information-based torts and has actual or reasonable knowledge of such activity should have a duty to take measures to protect consumers—or at least to warn them. However, consumers enjoy no such protection—even if an ISP has actual knowledge that its services are a medium for fraud. The Communications Decency Act of 1996 provides online service providers with immunity from liability.

Section 230 of the Communications Decency Act (47 U.S.C. § 230 (2005)) provides ISPs and other network administrators with a limited immunity from liability for harmful content accessible through their facilities. It provides that “No provider . . . of an interactive computer service shall be treated as the publisher or speaker of any information provided by another information content provider” (§230(c)(1)). The legislative history of the section shows that it primarily was intended to shield intermediaries from defamation liability. It expressly exempts intellectual property infringements from its scope. Its language could be interpreted, however, to protect service providers from liability for fraudulent content authored by others. It would not protect service providers from liability for injury occasioned by network intrusions or harmful access to databases maintained by the service provider.

Internet-based companies that store personal information have a duty to take reasonable steps to protect that information from hackers. Business conducted over the Internet is similar to business involving common areas and traditional stores. Because the threat of Internet worms, computer hackers, and defective software is widely known, a plaintiff would argue that a firm maintaining a virtual common area and store knows or should have known of the risks of computer security breaches. Any firm engaging in these activities owes a duty to implement proper security measures for its online customers, protecting those within its “common areas” by taking appropriate security measures to protect the information.

Standard of Care

Second, a plaintiff alleging negligence must identify the appropriate standard of care to which the defendant should adhere to protect against injury. In other words, what must an Internet-based company or ISP do to provide “reasonable” protection from fraudulent schemes or computer security breaches? No formal professional standards of care exist in the information technology industry resembling codes of professional conduct for physicians, lawyers, or engineers. Anyone can claim to be a computer professional and establish an ISP or e-commerce company. And, although there are several industry certifications and security standards, Internet firms are under no professional obligation to implement them. One answer to the standard of care question comes from the traditional risk-utility analysis, embedded in common-law negligence.

The public policy concept embodied in the risk-utility formula is that precautions should not cost more than the harm that they are intended to prevent. In other words, a person is negligent if she or he causes harm that could have been avoided at less than the expected cost of the injury. The aggregate harm caused by identity fraud is staggering. The 2005 Identity Fraud Survey Report, issued by Javelin Strategy and Research and the Better Business Bureau (www.javelinstrategy.com/reports/2005IdentityFraudSurveyReport.html), states that 9.3 million people—or about 4.25 percent of the adult population—are victims of some form of identity theft every year. The estimated out-of- pocket costs of this identity theft are about $52.6 billion annually. While most of this cost is borne by businesses, 33 percent of affected consumers have an average out-of-pocket cost of $652. In addition, victims on average spent 28 hours resolving credit, financial, and other problems caused by this type of fraud. The same report indicates, however, that only 11.6 percent of consumer information is obtained online through hacking, phishing, and other online frauds, whereas 68.2 percent is obtained through traditional means such as lost or stolen wallets and information being accessed during offline transactions.

Nevertheless, the risk of online security-related breaches is a growing threat. The 2004 E-Crime Watch survey, conducted by CSO magazine in cooperation with the United States Secret Service and Carnegie Mellon University Software Engineering Institute’s Computer Emergency Response Team ( www.cert.org/archive/pdf/2004eCrimeWatchSummary.pdf), shows that the risk of computer security breaches is rising. Forty-three percent of respondents report an increase in e-crimes and intrusions versus the previous year, and 70 percent report at least one e-crime or intrusion was committed against their organization.

Consider the CardSystems online security breach. It provides an opportunity to compare the burden of taking steps to prevent injury with the risk of harm. According to an article by Jonathan Krim in the July 22, 2005, issue of the Washington Post ( www.washingtonpost.com/wp-dyn/content/article/2005/07/21/AR2005072102465.html), of the 40 million credit card numbers in CardSystems’ databanks, roughly 240,000 are known to have been downloaded by hackers. Let’s say that a small number of these, 10 percent, were fraudulently misused. Even then, if only 33 percent of these affected consumers paid an out-of-pocket expense of $652 as a result of the breach, then the total aggregate consumer loss is over $5.1 million. This rough estimate does not even consider the hundreds of thousands of consumer hours lost trying to clear their names. As a threshold minimum level of care, a firm like CardSystems should be required to invest at least $5.1 million in preventive measures. The starting point would be regular technical security audits that evaluate current security risks, the potential injury to consumers, and the costs to the company and the consumer of eliminating those risks.

Breach of Duty

Failure to engage in such an analysis, or otherwise neglecting to take the most basic steps to mitigate the risk of harm to consumers, would fall well below the minimum level of care to establish a breach of duty—the third element in a negligence claim. In addition, a plaintiff should be permitted to assert various factual theories to show that the defendant breached the standard of reasonableness; perhaps an ISP failed to close down a hosted website or service that offered fraudulent services, or perhaps an Internet-based company failed to deploy basic security measures such as encryption, firewalls, and antivirus software.

Injury

Fourth, the ISP or Internet-based firm must cause the injury to the plaintiff. If the harm could have been prevented by the defendant, then actual cause is established. Besides showing actual cause, however, the plaintiff must show that the injury was foreseeable—this is the core requirement of “proximate cause.” Given widespread publicity regarding Internet fraud and online security breaches, it would be difficult to argue successfully that the danger of Internet fraud is unforeseeable. A legitimate legal challenge for the plaintiff, however, is to avoid a conclusion that the primary wrongdoer’s actions are an intervening event that broke the intermediary’s causal connection to the harm.

Lastly, a critical component in any action for negligence requires showing more than pure economic injury, no matter how much money is lost. Plaintiffs must establish, in most circumstances, personal injury or damaged property. This might be possible when the online fraud results in a damaged reputation, but for the vast majority of injured consumers common-law negligence’s economic-injury rule will serve as a bar to recovery. The economic- injury rule operates to police the boundary between contract and tort. Breach of contract becomes the exclusive remedy when no personal injury or damaged property results; yet consumers who clicked “I Agree” have undoubtedly restricted their ability to prevail in contracts cases by agreeing to a variety of disclaimers. The result of the economic loss rule is that consumers who have suffered only economic injury caused by the negligence of their ISP or other online service are left without remedy.

Of course, tort law cannot serve its function in this context unless class actions remain available to aggregate individual claims, each of which is likely to be uneconomic to litigate.

Traditional tort principles have not fully evolved to redress consumer fraud, invasions of privacy, and other online injuries suffered by consumers. Whether it be by a new body of tort law based on economic loss or the transformation of electronic information into a commodity in itself, it is certain that the common law will remain faithful to its historical roots and evolve to provide remedies for negligent computer administration or failing to prevent unauthorized access of personal information.

Jay C. Carle is project manager for the Center for Access to Justice and Technology, Chicago-Kent College of Law; he can be reached at jcarle@kentlaw.edu. Henry H. Perritt Jr. is professor of law at Chicago-Kent College of Law; he can be reached at hperritt@kentlaw.edu.